[Snort-users] Re: [fw-wiz] Sniffing on switched network
Roelof JT Jonkman
roel at ...47...
Wed Jan 9 12:28:03 EST 2002
> As far as the Suparstack are concerned, it seems it can only to this for
> one port (and not for all ports of the switch), and the "monitored" port and
> the "analyzing" one must be on the same physical switch.
Correct, you can only tie the 'Roving Analysis Port' (3com speak for port
mirroring) to one port, and not the backplane.
The solution is to make sure you pick the port that is the egress/ingress of
the switch, so you see all the traffic that is coming and going, however
your situation is far more complicated due to the stacking, and as such
you can really only observe the ingress/egress of the entire stack.
> Has anyone of you met this kind of need/switches config ? How did you solve
> it (other than changing switches to hub, which could be done in a last resort
> but I would prefer not to touch the physical components if possible) ?
The best solution is to tie the Roving Analysis Port to the port
that uplinks to the router/firewall, that way you catch any of the traffic
that is inbound/outbound at least. Another slight variation is to break the
stack, and use a regular 100BaseT connection between the two sub stacks, and
tie the roving analysis port to that. (Segregate the systems that you want
to monitor specifically with respect to the systems on the other stack.)
Another thing on these boxes is to keep firmware up to date, they have
quite a few quirks, particularly with regard to Multicast traffic.
Hope this helps you a little.....
More information about the Snort-users